With cyber attacks soaring, what risk does your company face? Your brand, your reputation and the trust of your customers. Without those, you’re not going to be in business very long. So cyber security is the number one task of every organization.
The number of cyber attacks worldwide has nearly doubled, increasing by 48 percent last year to 42.8 million, or the equivalent of 177,339 incoming attackers per day. When it comes to data breaches, it’s not a matter of if but when, according to speakers at the National Risk Retention Association’s conference in September. It doesn’t matter how big you are or how small; every organization is at risk.
Even a multinational like Costco, with a large IT team and multiple layers of security, can be vulnerable. Costco customers recently received an email prompting them to download a program that enabled hackers to retrieve credit card and other valuable information. Costco has now placed warnings on its websites cautioning customers against opening such emails.
The Broadway Grill and other Washington restaurants saw their point-of-sale systems hacked, resulting in stolen customer credit card information and $1.7 million in losses to banks and credit card companies. A Russian man was indicted for the hacking.
Eighteen independent Dairy Queen franchises in Washington and Oregon were affected by the “Backoff” malware intrusion. Hackers used a third-party vendor’s compromised account credentials to gain access to payment systems and credit card details.
Often, the hackers use information about the victims to commit fraud. An executive at a Washington-based, multilocation hotel company accepted a deceptive email request for a typical “funds transfer” from what appeared to be the firm’s international investor — and $100,000 was fraudulently transferred to an offshore bank account. Luckily, the hotel was insured and was able to recover most of the loss. It is implementing new safeguards to keep this from happening again.
“Effective, low-cost mechanisms are typically already in place to shield against many elements of cyber threat,” says Larry Clinton, president of the Internet Security Alliance, “but too often executive leaders wait until their systems are compromised to put a reactive plan into action, thus damaging their company’s reputation and unexpectedly incurring additional costs.”
At The Partners Group, we’ve found a need for greater understanding of cyber threats and for developing a framework to address them. Human behavior is the biggest organizational vulnerability. IT efforts are typically “siloed” if IT operates independently from the rest of the organization. This silo effect is one of the things we encounter when we help clients manage cyber risk.
To be effective, cyber risk management must be strategic and enterprise-wide with a cross-departmental, integrated approach. Everyone needs to understand the economic value and importance of managing data. A useful resource for developing an enterprise-wide framework for addressing cyber risk is The Financial Management of Cyber Risk by the Internet Security Alliance and American National Standards Institute. Download it at this site: webstore.ansi.org/cybersecurity.
In spite of all your best efforts, data breaches will likely occur at some point. The insurance industry has responded to this emerging risk by offering significant coverage that provides funds not only to pay those who are harmed by the data breach (“third-party” risks) but also to pay your own (“first-party” risk) costs. (See cyberliabilitycoverage.net for coverage examples.) A good insurance broker will not only help clients place this insurance but also help them assess the risks, including how to establish limits of liability and determine their values at risk from cyber exposures.
Hackers are smarter than we are, but we’ve got to stay ahead of them. Anyone can be breached, so we must analyze, test, report and audit. We also need to review our plans regularly, and make sure our budgets are adequate as we stay in touch and up to date with what needs to be done. We must do more, better, faster, deeper and broader.
Don Jenkins is director of risk management services practice at The Partners Group in Bellevue. Jordan Stair is a commercial insurance broker specializing in risk management for entertainment, human services and hospitality businesses.